Multiple questions/issues regarding SSLVPN

Hi all,

we have recently replaced a customer's firewall with two XGS 126 in an active/passive cluster. During the implementation we experienced some issues that we want to discuss here to find a solution, if possible. I already did some research in the Sophos forum but have not found viable solutions yet.

1. Firewall rules between VLANs/subnets
There is still an open question for which we have not yet received a valid answer; maybe someone knows a fix now? :-)
https://community.sophos.com/sophos-xg-firewall/f/discussions/131527/understanding-issue-with-firewall-rules-between-lan-subnets 

2. SSLVPN only supports PAP for RADIUS authentication
According to the following article, XG currently only supports PAP for RADIUS authentication in SSLVPN. Is there any plan to add support for MS-CHAPv2 in the future? The old firewall did support MS-CHAPv2 so this is currently a deterioration in security.

Sophos Firewall: Set the authentication method for VPN users

3. User portal, SSLVPN and Azure MFA - authentication issues
Azure MFA worked flawlessly before with the old firewall so no MFA/user issues here. With Sophos, we have configured RADIUS authentication and Azure MFA according to the following article:

Sophos XG: Using Azure MFA for SSL VPN and User portal - Recommended Reads - Sophos (XG) Firewall - Sophos Community.

When we enable RADIUS authentication for the user portal and/or SSLVPN, the authentication fails with different errors:
- User portal: <User> failed to login to Firewall through RADIUS authentication mechanism from <IP> because of Login failed
- SSLVPN: <User> failed to login to Firewall through RADIUS authentication mechanism from <IP> because of access not allowed

However, if we do a connection test with both servers, it works without any issue - the authentication prompt appears in the app, I approve the request and the test is successful.

Is there anything else to configure to get this to work with user portal and SSLVPN login? 

4. Login with UPN
With the old firewall it was possible to log in either via sAMAccountName or UPN. Currently, users are only able to log in with sAMAccountName. Is there any way to enable login with UPN as well, because it is more convenient for users?

5. Routing question
The AD domain controllers are located in different sites - NPS is installed on them (no other servers available, please do not ask any questions about that ;-):
- 1 DC in the main office where also the firewalls are located --> direct connectivity
- 1 DC in Azure --> indirect connectivity via S2S VPN

At first, RADIUS requests got rejected on the Azure DC as they originate from an SSLVPN IP - obviously, the Sophos routes the RADIUS requests via its SSLVPN interface (172.16....) instead of its internal IP address (10.51....). Is this by design or do we need to add routing configuration or anything else to correct this behaviour?

Thanks for reading and in advance for your replies!


Best regards
Ben

